Hi all, I submitted the original post and while I agree that fetching the list of trackers in the clear isn't itself insecure, it does raise questions about the end-to-end exchange. The subsequent connections appear to be encrypted, though I haven't analyzed them in detail, they do "nonce" here and there and generally look sufficiently unintelligible as to provide confidence. That being said, I guess the primary concern is whether an attacker could inject or induce a connection to an untrusted tracker and thereby cause a client to disclose its secret key, protected data, or surreptitiously join a swarm. E.G.: A MITM/ session-replay attack which captures the initial exchange, forwards it to a malicious peer, and proxies the rest of the connection. Just because the connection is encrypted does not ensure that its initial identity is known.
